Extend context to retrieve additional data from integrations or commands and map it to fields. You can extend context from the Cortex XSIAM CLI.
You can extend context either in a playbook task or directly from the Incident/Alert War Room command line. Whichever method you use, we recommend that you first run your command with the raw-response=true flag. This will help you identify the information that you want to add to your extended data.
Run your command with the extend-context flag:
!<commandName> <argumentName>=<value> extend-context=<contextKey>=<JsonOutputPath>
Separate multiple key/path pairs with "::". For example, to add the user and manager fields to context, use the ad-get-user command as follows:
!ad-get-user username=${user.manager.username} extend-context=manager=attributes.manager::attributes=displayName
To output only the values that you set with extend-context, run the command with the ignore-output=true flag:
!ad-get-user username=${user.manager.username} extend-context=manager=attributes.manager::attributes=displayName ignore-output=true
Example
By default, after adding an IBM QRadar v3 integration instance, offenses pulled from QRadar into Cortex XSIAM return numerous fields, including event_count, device_count, offense_type, description, and so on. You can use extend context to show which additional information is available, and you can then map that information to a field in Cortex XSIAM.
Run the command
!qradar-offenses-list raw-response="true"
From the context data, you should see that a number of fields are returned. Identify the fields that you want to view and run your command. For example, to retrieve the number of devices affected by a given offense, as well as the domain in which those devices reside, run the following command:
!qradar-offenses-list extend-context=device-count=device_count::domain_id=domain_id
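To make the mapping concrete, the following added example (not Cortex XSIAM's own code) models what an extend-context argument does to a raw command response: it splits the "key=path::key=path" specification and walks each dotted JSON output path, fanning out over lists the way a list of offenses would. The offense records are constructed sample data shaped like a trimmed qradar-offenses-list response.

```python
"""Illustrative model of extend-context semantics. Added example, not
Cortex XSIAM code; the offense records below are constructed samples."""
from typing import Any, Dict

# Constructed sample: a trimmed response like qradar-offenses-list might return.
SAMPLE_OFFENSES = [
    {"id": 101, "description": "Excessive Firewall Denies", "event_count": 42,
     "device_count": 3, "offense_type": 0, "domain_id": 0},
    {"id": 102, "description": "Multiple Login Failures", "event_count": 7,
     "device_count": 1, "offense_type": 3, "domain_id": 2},
]


def resolve_path(data: Any, path: str) -> Any:
    """Walk a dotted JSON output path such as 'attributes.manager'.
    Lists are mapped element-wise; a missing key yields None."""
    for part in path.split("."):
        if isinstance(data, list):
            data = [item.get(part) for item in data if isinstance(item, dict)]
        elif isinstance(data, dict):
            data = data.get(part)
        else:
            return None
    return data


def parse_extend_context(spec: str) -> Dict[str, str]:
    """Split 'key1=path1::key2=path2' into {key: path}; pairs without '=' are skipped."""
    pairs = (pair.split("=", 1) for pair in spec.split("::") if "=" in pair)
    return {key.strip(): path.strip() for key, path in pairs}


def apply_extend_context(raw_response: Any, spec: str) -> Dict[str, Any]:
    """Return the extra context keys the extend-context flag would add."""
    return {key: resolve_path(raw_response, path)
            for key, path in parse_extend_context(spec).items()}


if __name__ == "__main__":
    spec = "device-count=device_count::domain_id=domain_id"
    print(apply_extend_context(SAMPLE_OFFENSES, spec))
```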